@jiridanek jiridanek commented Aug 19, 2025

Description

How Has This Been Tested?

Merge criteria:

  • The commits are squashed in a cohesive manner and have meaningful messages.
  • Testing instructions have been added in the PR body (for PRs involving changes that are not immediately obvious).
  • The developer has manually tested the changes and verified that the changes work

Summary by CodeRabbit

  • Chores
    • Pinned dependency installer versions across all Python 3.11/3.12 images (CPU/CUDA/ROCm) to ensure deterministic, reproducible builds: micropipenv[toml]==1.9.0 and uv==0.8.12.
    • Applies to development and runtime images used in code servers, Jupyter, RStudio, and related runtimes.
    • No functional changes to features or workflows; builds are more stable and predictable.

…ckerfile `pip install` commands for reproducible builds
coderabbitai bot commented Aug 19, 2025

Walkthrough

All modified Dockerfiles and the Dockerfile fragment generator now pin Python tooling installs to exact versions: micropipenv[toml]==1.9.0 and uv==0.8.12. Multiple files previously installing unpinned micropipenv[toml] and uv were changed. No other instructions, control flow, or public APIs were altered.

Changes

Cohort / File(s) Summary
Jupyter Dockerfiles
jupyter/datascience/ubi9-python-3.11/Dockerfile.cpu, jupyter/datascience/ubi9-python-3.12/Dockerfile.cpu, jupyter/minimal/ubi9-python-3.11/Dockerfile.cpu, jupyter/minimal/ubi9-python-3.11/Dockerfile.cuda, jupyter/minimal/ubi9-python-3.11/Dockerfile.rocm, jupyter/minimal/ubi9-python-3.12/Dockerfile.cpu, jupyter/minimal/ubi9-python-3.12/Dockerfile.cuda, jupyter/minimal/ubi9-python-3.12/Dockerfile.rocm, jupyter/pytorch/ubi9-python-3.11/Dockerfile.cuda, jupyter/pytorch/ubi9-python-3.12/Dockerfile.cuda, jupyter/pytorch+llmcompressor/ubi9-python-3.11/Dockerfile.cuda, jupyter/rocm/pytorch/ubi9-python-3.11/Dockerfile.rocm, jupyter/rocm/pytorch/ubi9-python-3.12/Dockerfile.rocm, jupyter/rocm/tensorflow/ubi9-python-3.11/Dockerfile.rocm, jupyter/rocm/tensorflow/ubi9-python-3.12/Dockerfile.rocm, jupyter/tensorflow/ubi9-python-3.11/Dockerfile.cuda, jupyter/tensorflow/ubi9-python-3.12/Dockerfile.cuda, jupyter/trustyai/ubi9-python-3.11/Dockerfile.cpu, jupyter/trustyai/ubi9-python-3.12/Dockerfile.cpu
Replace unpinned pip installs with pinned versions: micropipenv[toml]==1.9.0 and uv==0.8.12. Some files contain two occurrences. No other edits.
Runtimes Dockerfiles
runtimes/datascience/ubi9-python-3.11/Dockerfile.cpu, runtimes/datascience/ubi9-python-3.12/Dockerfile.cpu, runtimes/minimal/ubi9-python-3.11/Dockerfile.cpu, runtimes/minimal/ubi9-python-3.12/Dockerfile.cpu, runtimes/pytorch/ubi9-python-3.11/Dockerfile.cuda, runtimes/pytorch/ubi9-python-3.12/Dockerfile.cuda, runtimes/pytorch+llmcompressor/ubi9-python-3.11/Dockerfile.cuda, runtimes/rocm-pytorch/ubi9-python-3.11/Dockerfile.rocm, runtimes/rocm-pytorch/ubi9-python-3.12/Dockerfile.rocm, runtimes/rocm-tensorflow/ubi9-python-3.11/Dockerfile.rocm, runtimes/rocm-tensorflow/ubi9-python-3.12/Dockerfile.rocm, runtimes/tensorflow/ubi9-python-3.11/Dockerfile.cuda, runtimes/tensorflow/ubi9-python-3.12/Dockerfile.cuda
Pin pip installs to micropipenv[toml]==1.9.0 and uv==0.8.12. No other changes.
Codeserver & RStudio Dockerfiles
codeserver/ubi9-python-3.11/Dockerfile.cpu, codeserver/ubi9-python-3.12/Dockerfile.cpu, rstudio/c9s-python-3.11/Dockerfile.cpu, rstudio/c9s-python-3.11/Dockerfile.cuda, rstudio/rhel9-python-3.11/Dockerfile.cpu, rstudio/rhel9-python-3.11/Dockerfile.cuda
Pin micropipenv[toml] and uv to versions 1.9.0 and 0.8.12 respectively. No other modifications.
Build script
scripts/dockerfile_fragments.py
Update generated fragment to install micropipenv[toml]==1.9.0 and uv==0.8.12 instead of unpinned.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related issues

Possibly related PRs

Suggested labels

lgtm, tide/merge-method-squash, size/l

Suggested reviewers

  • caponetto
  • dibryant

openshift-ci bot commented Aug 19, 2025

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign jstourac for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@github-actions github-actions bot added the review-requested GitHub Bot creates notification on #pr-review-ai-ide-team slack channel label Aug 19, 2025
@openshift-ci openshift-ci bot added size/m and removed size/m labels Aug 19, 2025
@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 5

🧹 Nitpick comments (26)
runtimes/datascience/ubi9-python-3.12/Dockerfile.cpu (1)

23-23: ✓ Pinning Verified: micropipenv 1.9.0 & uv 0.8.12

All Python 3.12 Dockerfiles (including this one at runtimes/datascience/ubi9-python-3.12/Dockerfile.cpu:23) pin both packages correctly, and both versions exist on PyPI. Repo-wide ripgrep confirms no unpinned installs in the 3.12 images.

Optional: centralize these version values to simplify future bumps:

ARG MICROPIPENV_VERSION=1.9.0
ARG UV_VERSION=0.8.12
RUN pip install --no-cache-dir -U \
    "micropipenv[toml]==${MICROPIPENV_VERSION}" \
    "uv==${UV_VERSION}"
runtimes/rocm-tensorflow/ubi9-python-3.12/Dockerfile.rocm (1)

23-23: Pinning looks good; consistent with the PR’s objective.

Exact pins for micropipenv and uv support reproducibility. Given prior analysis that micropipenv is unused in our 3.12 images, consider removing it in the dedicated cleanup (issue #1685) rather than here.

If you want easier future bumps, you can introduce build args and reuse them:

- RUN pip install --no-cache-dir -U "micropipenv[toml]==1.9.0" "uv==0.8.12"
+ ARG MICROPIPENV_VERSION=1.9.0
+ ARG UV_VERSION=0.8.12
+ RUN pip install --no-cache-dir -U "micropipenv[toml]==${MICROPIPENV_VERSION}" "uv==${UV_VERSION}"
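Review bot: the two added ARG lines turn each pin into a default that any build can override with --build-arg MICROPIPENV_VERSION=<other> or --build-arg UV_VERSION=<other>, so the image stays reproducible only if the build pipeline never passes those arguments. If the ARGs are adopted, keep them in the same build stage as the RUN line (an ARG declared before FROM is not visible inside the stage unless it is redeclared), and make any pin check resolve the ARG defaults, because a literal search for "uv==0.8.12" no longer matches this RUN line.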
runtimes/tensorflow/ubi9-python-3.11/Dockerfile.cuda (1)

23-23: Good pinning; aligns with 3.11 policy to keep micropipenv present.

This keeps builds reproducible and respects the “don’t remove micropipenv from 3.11 images” policy.

Prefer invoking pip via the interpreter for robustness in multi-Python environments:

- RUN pip install --no-cache-dir -U "micropipenv[toml]==1.9.0" "uv==0.8.12"
+ RUN python -m pip install --no-cache-dir -U "micropipenv[toml]==1.9.0" "uv==0.8.12"
codeserver/ubi9-python-3.12/Dockerfile.cpu (1)

23-23: Pinning is correct and consistent.

This ensures the uv CLI used later is the intended version, improving determinism across rebuilds.

Use the interpreter to call pip:

- RUN pip install --no-cache-dir -U "micropipenv[toml]==1.9.0" "uv==0.8.12"
+ RUN python -m pip install --no-cache-dir -U "micropipenv[toml]==1.9.0" "uv==0.8.12"
jupyter/rocm/pytorch/ubi9-python-3.11/Dockerfile.rocm (1)

36-36: LGTM on pinning; reproducibility improved.

Matches the PR intent and 3.11 retention policy for micropipenv.

Slight robustness improvement:

- RUN pip install --no-cache-dir -U "micropipenv[toml]==1.9.0" "uv==0.8.12"
+ RUN python -m pip install --no-cache-dir -U "micropipenv[toml]==1.9.0" "uv==0.8.12"
runtimes/tensorflow/ubi9-python-3.12/Dockerfile.cuda (2)

23-23: Prefer invoking pip via the interpreter for robustness

Using python -m pip avoids PATH/symlink surprises if multiple interpreters are present.

Apply this diff:

-RUN pip install --no-cache-dir -U "micropipenv[toml]==1.9.0" "uv==0.8.12"
+RUN python -m pip install --no-cache-dir -U "micropipenv[toml]==1.9.0" "uv==0.8.12"

23-23: Note: micropipenv is unused in 3.12 images — cleanup tracked separately

This pin is fine for now. As discussed and tracked in issue #1685, micropipenv installations in Python 3.12 images are not used and can be removed later to reduce image size. No action required in this PR.

codeserver/ubi9-python-3.11/Dockerfile.cpu (1)

23-23: Minor: use python -m pip to bind pip to the correct interpreter

Safer invocation pattern within container images.

Apply this diff:

-RUN pip install --no-cache-dir -U "micropipenv[toml)==1.9.0" "uv==0.8.12"
+RUN python -m pip install --no-cache-dir -U "micropipenv[toml]==1.9.0" "uv==0.8.12"
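Review bot: the removed line reads "micropipenv[toml)==1.9.0", with a closing parenthesis where the added line has "]", so it does not match the pin this PR writes ("micropipenv[toml]==1.9.0") and the suggestion cannot be applied verbatim. Correct the bracket in the removed line so the diff applies against the real Dockerfile content.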
jupyter/minimal/ubi9-python-3.12/Dockerfile.cuda (2)

23-23: Nit: prefer python -m pip over pip

Improves robustness against PATH ambiguities.

Apply this diff:

-RUN pip install --no-cache-dir -U "micropipenv[toml]==1.9.0" "uv==0.8.12"
+RUN python -m pip install --no-cache-dir -U "micropipenv[toml]==1.9.0" "uv==0.8.12"

23-23: Future cleanup: micropipenv not used on 3.12 images

This PR is scoped to pinning only, which is fine. Just noting that removal for 3.12 images is already tracked in issue #1685 to trim image size.

runtimes/pytorch/ubi9-python-3.12/Dockerfile.cuda (2)

23-23: Use python -m pip for consistency with the active interpreter

Minor robustness improvement.

Apply this diff:

-RUN pip install --no-cache-dir -U "micropipenv[toml]==1.9.0" "uv==0.8.12"
+RUN python -m pip install --no-cache-dir -U "micropipenv[toml]==1.9.0" "uv==0.8.12"

23-23: Heads-up: micropipenv appears unused on 3.12 images

No change requested here; just noting the planned cleanup tracked in #1685 to reduce footprint.

runtimes/minimal/ubi9-python-3.11/Dockerfile.cpu (1)

30-30: Nit: prefer python -m pip

Bind pip to the right interpreter explicitly.

Apply this diff:

-RUN pip install --no-cache-dir -U "micropipenv[toml]==1.9.0" "uv==0.8.12"
+RUN python -m pip install --no-cache-dir -U "micropipenv[toml]==1.9.0" "uv==0.8.12"
rstudio/c9s-python-3.11/Dockerfile.cuda (1)

9-9: Optional: centralize tool versions via ARGs for easier bumps

Consider defining MICROPIPENV_VERSION and UV_VERSION as build args near the top and referencing them in the RUN line. This keeps Dockerfiles consistent with scripts/dockerfile_fragments.py and simplifies version bumps across many files.

Example change in this file:

+ARG MICROPIPENV_VERSION=1.9.0
+ARG UV_VERSION=0.8.12
- RUN pip install --no-cache-dir -U "micropipenv[toml]==1.9.0" "uv==0.8.12"
+ RUN pip install --no-cache-dir -U "micropipenv[toml]==${MICROPIPENV_VERSION}" "uv==${UV_VERSION}"
runtimes/rocm-pytorch/ubi9-python-3.12/Dockerfile.rocm (1)

23-23: Note: micropipenv may be removable from 3.12 images in future (tracked separately)

Per prior analysis, many 3.12 images install micropipenv without using it. Not a blocker here, but consider following up under the existing cleanup effort to avoid unnecessary footprint.

If helpful, I can prepare a scoped follow-up PR that removes unused micropipenv from 3.12 images while keeping 3.11 images intact per policy.

jupyter/datascience/ubi9-python-3.11/Dockerfile.cpu (1)

36-36: Nit: prefer invoking pip via the interpreter

Using python -m pip avoids PATH/alias ambiguities and is more robust across environments.

Apply this diff:

-RUN pip install --no-cache-dir -U "micropipenv[toml]==1.9.0" "uv==0.8.12"
+RUN python -m pip install --no-cache-dir -U "micropipenv[toml]==1.9.0" "uv==0.8.12"
jupyter/rocm/pytorch/ubi9-python-3.12/Dockerfile.rocm (1)

36-36: FYI: Follow-up cleanup for 3.12 images (tracked elsewhere)

This keeps installing micropipenv on Python 3.12 images. As noted in the ongoing cleanup effort (issue #1685), micropipenv is unused on 3.12 and could be removed in a separate PR. No change requested here.

scripts/dockerfile_fragments.py (2)

31-31: Extract versions to module-level constants and use python -m pip

Centralizing the versions makes future bumps trivial and reduces drift; invoking pip via the interpreter is more robust.

Apply this diff to the changed line:

-            textwrap.dedent('''RUN pip install --no-cache-dir -U "micropipenv[toml]==1.9.0" "uv==0.8.12"'''),
+            textwrap.dedent(f'''RUN python -m pip install --no-cache-dir -U "micropipenv[toml]=={MICROPIPENV_VERSION}" "uv=={UV_VERSION}"'''),

Add these near the top of the file (outside the changed range):

# Centralized tool versions for reproducible builds
MICROPIPENV_VERSION = "1.9.0"
UV_VERSION = "0.8.12"

31-31: Add a CI check for pinned micropipenv and uv versions

We ran the verification script across all Dockerfiles and confirmed that every RUN pip install … micropipenv[toml]==1.9.0 and uv==0.8.12 is already pinned correctly. To guard against future version drift, integrate the following check as a CI step (for example, in .github/workflows/validate-dockerfiles.yml):

#!/usr/bin/env bash
set -euo pipefail

MICRO="1.9.0"
UV="0.8.12"
missing=0

# Iterate over all Dockerfiles. The loops read from process substitution
# instead of a pipe so they run in the current shell and the updates to
# $missing are still visible after the loop ends.
while IFS= read -r f; do
  # micropipenv pin check ("|| true": no match must not trip set -e)
  while IFS=: read -r lno line; do
    if ! grep -q "micropipenv\[toml\]==${MICRO}" <<< "$line"; then
      echo "$f:$lno: ERROR — micropipenv not pinned to ${MICRO}: $line"
      missing=1
    fi
  done < <(grep -En 'pip install.*micropipenv' "$f" || true)

  # uv pin check
  while IFS=: read -r lno line; do
    if ! grep -q "uv==${UV}" <<< "$line"; then
      echo "$f:$lno: ERROR — uv not pinned to ${UV}: $line"
      missing=1
    fi
  done < <(grep -En 'pip install.*\buv\b' "$f" || true)
done < <(fd -a '^Dockerfile.*$')

if [ "$missing" -ne 0 ]; then
  echo "❌ Dockerfile version pin verification failed."
  exit 1
fi

echo "✅ All Dockerfiles correctly pin micropipenv[toml]==${MICRO} and uv==${UV}."

• Place this script in your repo (e.g. scripts/verify-docker-pins.sh)
• Add a CI job that runs it on every PR to catch any unpinned changes early

rstudio/c9s-python-3.11/Dockerfile.cpu (1)

9-9: Nit: prefer python -m pip

More resilient invocation pattern in containerized environments.

Apply this diff:

-RUN pip install --no-cache-dir -U "micropipenv[toml]==1.9.0" "uv==0.8.12"
+RUN python -m pip install --no-cache-dir -U "micropipenv[toml]==1.9.0" "uv==0.8.12"
jupyter/trustyai/ubi9-python-3.11/Dockerfile.cpu (1)

36-36: Nit: use python -m pip

Prefer interpreter-qualified pip to avoid PATH ambiguity.

Apply this diff:

-RUN pip install --no-cache-dir -U "micropipenv[toml]==1.9.0" "uv==0.8.12"
+RUN python -m pip install --no-cache-dir -U "micropipenv[toml]==1.9.0" "uv==0.8.12"
jupyter/datascience/ubi9-python-3.12/Dockerfile.cpu (1)

36-36: Note: micropipenv in Python 3.12 images is slated for removal (tracked separately)

Pinning is fine here for reproducibility. As a separate cleanup (already tracked in issue #1685), Python 3.12 images plan to drop micropipenv entirely; this PR need not change scope.

jupyter/tensorflow/ubi9-python-3.12/Dockerfile.cuda (1)

36-36: Minor note: 3.12 images still include micropipenv

This PR rightly focuses on version pinning. Cleanup for removing micropipenv from 3.12 images is a separate effort already tracked (no action needed here).

rstudio/rhel9-python-3.11/Dockerfile.cpu (1)

9-10: Optional: consider centralizing versions via build args or fragments for easier updates.

Not blocking this PR, but defining MICROPIPENV_VERSION and UV_VERSION as ARGs (or ensuring scripts/dockerfile_fragments.py owns these constants) would reduce future churn across many Dockerfiles.

Example:

ARG MICROPIPENV_VERSION=1.9.0
ARG UV_VERSION=0.8.12
RUN pip install --no-cache-dir -U "micropipenv[toml]==${MICROPIPENV_VERSION}" "uv==${UV_VERSION}"
runtimes/minimal/ubi9-python-3.12/Dockerfile.cpu (1)

30-31: FYI: micropipenv presence in 3.12 images is slated for cleanup (issue #1685).

No action required in this PR, but note that 3.12 images reportedly don't use micropipenv. This pin keeps builds reproducible until that cleanup lands.

runtimes/pytorch+llmcompressor/ubi9-python-3.11/Dockerfile.cuda (1)

159-161: Remove redundant micropipenv reinstall here; keep only uv.

Once the earlier micropipenv install is pinned, this later block can install only uv to avoid redundant reinstalls and save build time.

Apply this diff to the current block:

-RUN pip install --no-cache-dir -U "micropipenv[toml]==1.9.0" "uv==0.8.12"
+RUN pip install --no-cache-dir -U "uv==0.8.12"
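
A stricter variant of the pin check discussed in the review above, added here as an example (it is not code from the PR or the repository): it folds line continuations, resolves ARG defaults such as the suggested MICROPIPENV_VERSION and UV_VERSION, and compares versions exactly, so "uv==0.8.120" or a later `uv pip install` call is not mistaken for the pin. The function names and the sample Dockerfile are constructed for illustration.

```python
import re

# Versions pinned by this PR (taken from the PR text).
EXPECTED = {"micropipenv": "1.9.0", "uv": "0.8.12"}
ARG_RE = re.compile(r"^\s*ARG\s+(\w+)=(\S+)\s*$")
VAR_RE = re.compile(r"\$\{(\w+)\}|\$(\w+)")
# Arguments of each `pip install`, up to the next shell operator.
PIP_RE = re.compile(r"\bpip\s+install\b([^;&|]*)")
REQ_RE = re.compile(r"^([A-Za-z0-9_.-]+)(?:\[[^\]]*\])?(.*)$")

# Constructed sample, not a file from the repository.
SAMPLE = '''\
FROM registry.example/base:latest
ARG MICROPIPENV_VERSION=1.9.0
ARG UV_VERSION=0.8.12
RUN pip install --no-cache-dir -U \\
    "micropipenv[toml]==${MICROPIPENV_VERSION}" \\
    "uv==${UV_VERSION}"
RUN uv pip install --strict -r requirements.txt
RUN python -m pip install --no-cache-dir -U "micropipenv[toml]" "uv==0.8.120"
'''


def logical_lines(text):
    """Yield (first_line_no, text) with backslash continuations folded."""
    buf, start = "", None
    for no, raw in enumerate(text.splitlines(), 1):
        start = start or no
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, buf + line
        buf, start = "", None


def check_dockerfile(text, expected=EXPECTED):
    """Return (line_no, message) for each tool not pinned to its expected version."""
    args, problems = {}, []
    for no, line in logical_lines(text):
        arg = ARG_RE.match(line)
        if arg:  # remember the ARG default; --build-arg overrides are not visible here
            args[arg.group(1)] = arg.group(2).strip("\"'")
            continue
        # Substitute known ARG defaults, leave unknown variables untouched.
        line = VAR_RE.sub(lambda v: args.get(v.group(1) or v.group(2), v.group(0)), line)
        for call in PIP_RE.finditer(line):
            for token in call.group(1).split():
                req = REQ_RE.match(token.strip("\"'"))
                name = req.group(1).lower() if req else ""
                if name not in expected:
                    continue
                want, found = "==" + expected[name], req.group(2)
                if found != want:
                    problems.append((no, f"{name}: want {want}, found {found or 'no version'}"))
    return problems
```

On the constructed sample, only the last RUN line is reported: once for the unpinned micropipenv and once for the near-miss uv version.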

@daniellutz

/lgtm

openshift-ci bot commented Aug 19, 2025

@jiridanek: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/notebooks-py312-ubi9-e2e-tests 8c2c917 link true /test notebooks-py312-ubi9-e2e-tests
ci/prow/rocm-runtimes-ubi9-e2e-tests 8c2c917 link true /test rocm-runtimes-ubi9-e2e-tests

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@jiridanek jiridanek merged commit 82dfc80 into opendatahub-io:main Aug 19, 2025
118 of 131 checks passed
@openshift-ci openshift-ci bot added size/m and removed size/m labels Aug 19, 2025
@jiridanek jiridanek deleted the jd_pin_packagers branch August 19, 2025 14:34
@openshift-ci openshift-ci bot added size/m and removed size/m labels Aug 19, 2025
Labels
lgtm review-requested GitHub Bot creates notification on #pr-review-ai-ide-team slack channel size/m
Development

Successfully merging this pull request may close these issues.

Pin micropipenv and uv versions in Dockerfile pip install commands for reproducible builds
2 participants